Commit 088dfa13 authored by Todd Short's avatar Todd Short Committed by Matt Caswell
Browse files

Add option to disable Extended Master Secret 



Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION.  Retain most of the
sanity checks between the previous and current session during
session resumption, but weaken the check when the current SSL
object is configured to not use EMS.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3910)
parent 9fc8f18f

doc/man3/SSL_CONF_cmd.pod

+4 −0
Original line number Diff line number Diff line
@@ -486,6 +486,10 @@ specification. Some applications may be able to mitigate the replay risks in 
other ways and in such cases the built-in OpenSSL functionality is not required.

Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.



B<ExtendedMasterSecret>: use extended master secret extension, enabled by

default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,

B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.



=item B<VerifyMode>



The B<value> argument is a comma separated list of flags to set.

doc/man3/SSL_CTX_set_options.pod

+11 −1
Original line number Diff line number Diff line
@@ -198,6 +198,14 @@ RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. 
If this option is set, Encrypt-then-MAC is disabled. Clients will not

propose, and servers will not accept the extension.



=item SSL_OP_NO_EXTENDED_MASTER_SECRET



Normally clients and servers will transparently attempt to negotiate the

RFC7627 Extended Master Secret option on TLS and DTLS connection.



If this option is set, Extended Master Secret is disabled. Clients will

not propose, and servers will not accept the extension.



=item SSL_OP_NO_RENEGOTIATION



Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
@@ -366,9 +374,11 @@ OpenSSL 0.9.8m. 
The B<SSL_OP_PRIORITIZE_CHACHA> and B<SSL_OP_NO_RENEGOTIATION> options

were added in OpenSSL 1.1.1.



The B<SSL_OP_NO_EXTENDED_MASTER_SECRET> option was added in OpenSSL 3.0.0.



=head1 COPYRIGHT



Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.



Licensed under the Apache License 2.0 (the "License").  You may not use

this file except in compliance with the License.  You can obtain a copy

include/openssl/ssl.h

+12 −9
Original line number Diff line number Diff line
@@ -297,23 +297,26 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); 
typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);



/*

 * Some values are reserved until OpenSSL 1.2.0 because they were previously

 * Some values are reserved until OpenSSL 3.0.0 because they were previously

 * included in SSL_OP_ALL in a 1.1.x release.

 *

 * Reserved value (until OpenSSL 1.2.0)                  0x00000001U

 * Reserved value (until OpenSSL 1.2.0)                  0x00000002U

 */



/* Disable Extended master secret */

# define SSL_OP_NO_EXTENDED_MASTER_SECRET                0x00000001U



/* Reserved value (until OpenSSL 3.0.0)                  0x00000002U */



/* Allow initial connection to servers that don't support RI */

# define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004U



/* Reserved value (until OpenSSL 1.2.0)                  0x00000008U */

/* Reserved value (until OpenSSL 3.0.0)                  0x00000008U */

# define SSL_OP_TLSEXT_PADDING                           0x00000010U

/* Reserved value (until OpenSSL 1.2.0)                  0x00000020U */

/* Reserved value (until OpenSSL 3.0.0)                  0x00000020U */

# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040U

/*

 * Reserved value (until OpenSSL 1.2.0)                  0x00000080U

 * Reserved value (until OpenSSL 1.2.0)                  0x00000100U

 * Reserved value (until OpenSSL 1.2.0)                  0x00000200U

 * Reserved value (until OpenSSL 3.0.0)                  0x00000080U

 * Reserved value (until OpenSSL 3.0.0)                  0x00000100U

 * Reserved value (until OpenSSL 3.0.0)                  0x00000200U

 */



/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */

ssl/ssl_conf.c

+2 −1
Original line number Diff line number Diff line
@@ -380,7 +380,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) 
        SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),

        SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),

        SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),

        SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY)

        SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),

        SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET)

    };

    if (value == NULL)

        return -3;

ssl/statem/extensions.c

+1 −2
Original line number Diff line number Diff line
@@ -1169,7 +1169,6 @@ static int init_etm(SSL *s, unsigned int context) 


static int init_ems(SSL *s, unsigned int context)

{

    if (!s->server)

    s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;



    return 1;